自动修补函数偏移

Author: AndroidReverser-Test

README.md

@@ -13,8 +13,6 @@
 
 **set_fun_info**函数用于在so文件的指定偏移处设置uprobe挂载点，并可传递指定函数名。
 
-**set_fun_info2**函数用于在set_fun_info函数设置成功但失效的情况下，与set_fun_info函数作用一致。
-
 **clear_all_uprobes**函数用于清除所有的uprobe挂载点。
 
 上述函数的返回结果有SET_TRACE_SUCCESS、SET_TRACE_ERROR两种，分别表示设置成功和失败。
@@ -26,8 +24,5 @@
 目前只在5.10以及5.15两个版本通过测试，理论上5.10以上版本都能正常使用。
 
 # 一些疑惑
-set_fun_info2函数其实就是将传入的函数偏移-0x1000再传递到内核，为什么要这样做？其实是因为
-在内核使用uprobe_register函数注册uprobe挂载点的时候在一些情况下会出现实际注册的函数偏移比
-传入的偏移多上0x1000，而如果我们传入的偏移-0x1000就正好抵消了这个影响。至于为什么会这样，
-我翻阅linux内核源码发现问题出现于[内存地址计算错误](https://elixir.bootlin.com/linux/v5.15.74/source/kernel/events/uprobes.c#L1004),从这里开始内存地址就多加上了0x1000，我推测是内存页少算了
-一页，但是具体原因不清楚。
+在内核使用uprobe_register函数注册uprobe挂载点的时候在一些特殊情况下会出现实际注册的函数偏移与传入的函数偏移不一致的问题，至于为什么会这样，
+我翻阅linux内核源码发现问题出现于[内存地址计算错误](https://elixir.bootlin.com/linux/v5.15.74/source/kernel/events/uprobes.c#L1004),从这里开始内存地址就出现了偏差，我推测是内存页计算有偏差，但是具体原因不清楚。

kernel_trace.c

@@ -11,10 +11,11 @@
 #include <syscall.h>
 #include <asm/current.h>
 #include <hook.h>
+#include <linux/err.h>
 #include "kernel_trace.h"
 
 KPM_NAME("kernel_trace");
-KPM_VERSION("2.2.0");
+KPM_VERSION("3.0.0");
 KPM_LICENSE("GPL v2");
 KPM_AUTHOR("Test");
 KPM_DESCRIPTION("use uprobe trace some fun in kpm");
@@ -29,26 +30,27 @@ void (*rcu_read_unlock)(void) = 0;
 int (*trace_printk)(unsigned long ip, const char *fmt, ...) = 0;
 
 void *show_map_vma_addr;
+void *build_map_info_addr;
 
 
 char file_name[MAX_PATH_LEN];
 uid_t target_uid = -1;
 unsigned long fun_offsets[MAX_HOOK_NUM];
+unsigned long test_fun_addr;
 int hook_num = 0;
 struct rb_root fun_info_tree = RB_ROOT;
 static struct inode *inode;
 unsigned long module_base = 0;
 static struct uprobe_consumer trace_uc;
+static long long addr_fixer = 0;
 
 
 
 void before_show_map_vma(hook_fargs2_t *args, void *udata)
 {
-    struct seq_file* o_seq_file;
     struct vm_area_struct *ovma;
     unsigned long start, end;
 
-    o_seq_file = (struct seq_file*)args->arg0;
     ovma = (struct vm_area_struct*)args->arg1;
     start = ovma->vm_start;
     end = ovma->vm_end;
@@ -58,6 +60,21 @@ void before_show_map_vma(hook_fargs2_t *args, void *udata)
     }
 }
 
+void after_build_map_info(hook_fargs3_t *args, void *udata)
+{
+    struct map_info *tret = (struct map_info *)args->ret;
+    bool is_register = (bool)args->arg2;
+    unsigned long tvaddr = tret->vaddr;
+    long long fun_offset = (long long)args->arg1;
+
+    if(addr_fixer==0 && tvaddr!=test_fun_addr){
+        addr_fixer = test_fun_addr < tvaddr ? (-(tvaddr-test_fun_addr)) : (test_fun_addr-tvaddr);
+        logkd("+Test-Log+ addr_fixer:%lld\n",addr_fixer);
+        args->ret = ERR_PTR(-TRACE_FLAG);
+        return;
+    }
+}
+
 void before_mincore(hook_fargs3_t *args, void *udata){
     int trace_flag = (int)syscall_argn(args, 1);
     if(trace_flag<TRACE_FLAG || trace_flag>TRACE_FLAG+CLEAR_UPROBE){
@@ -86,7 +103,15 @@ void before_mincore(hook_fargs3_t *args, void *udata){
             goto error_out;
         }
 //        logkd("+Test-Log+ fun_name:%s,fun_offset:0x%llx\n",fun_name,fun_offset);
-        int hret = uprobe_register(inode,fun_offset,&trace_uc);
+        if(addr_fixer==0){
+            test_fun_addr = module_base+fun_offset;
+        }
+        int hret = uprobe_register(inode,fun_offset+addr_fixer,&trace_uc);
+
+        if(hret==-TRACE_FLAG){
+            hret = uprobe_register(inode,fun_offset+addr_fixer,&trace_uc);
+        }
+
         if(hret<0){
             logke("+Test-Log+ set uprobe error in 0x%llx\n",fun_offset);
             goto error_out;
@@ -100,12 +125,14 @@ void before_mincore(hook_fargs3_t *args, void *udata){
     if(trace_info==SET_MODULE_BASE){
         module_base = (unsigned long)syscall_argn(args, 0);
         logkd("+Test-Log+ set module_base:0x%llx\n",module_base);
+        addr_fixer = 0;
         goto success_out;
     }
 
     if(trace_info==SET_TARGET_UID){
         target_uid = (uid_t)syscall_argn(args, 0);
         logkd("+Test-Log+ set target_uid:%d\n",target_uid);
+        addr_fixer = 0;
         goto success_out;
     }
 
@@ -122,17 +149,19 @@ void before_mincore(hook_fargs3_t *args, void *udata){
         inode = igrab(path.dentry->d_inode);
         path_put(&path);
         logkd("+Test-Log+ success set file inode\n");
+        addr_fixer = 0;
         goto success_out;
     }
 
     if(trace_info==CLEAR_UPROBE){
         rcu_read_unlock();//解锁，不然内核会崩
         for (int i = 0; i < hook_num; ++i) {
-            uprobe_unregister(inode,fun_offsets[i],&trace_uc);
+            uprobe_unregister(inode,fun_offsets[i]+addr_fixer,&trace_uc);
         }
         hook_num = 0;
         destroy_entire_tree(&fun_info_tree);
         logkd("+Test-Log+ success clear all uprobes\n");
+        addr_fixer = 0;
         goto success_out;
     }
 
@@ -157,13 +186,8 @@ static int trace_handler(struct uprobe_consumer *self, struct mpt_regs *regs){
     if(uid==target_uid){
         fun_offset = regs->pc-module_base;
         tfun = search_key_value(&fun_info_tree,fun_offset);
-        if(tfun){
+        if(likely(tfun)){
             goto target_out;
-        }else{
-            tfun = search_key_value(&fun_info_tree,fun_offset- 0x1000);
-            if(likely(tfun)){
-                goto target_out;
-            }
         }
     }else{
         goto no_target_out;
@@ -203,6 +227,7 @@ static long kernel_trace_init(const char *args, const char *event, void *__user
     trace_printk = (typeof(trace_printk))kallsyms_lookup_name("__trace_printk");
 
     show_map_vma_addr = (void *)kallsyms_lookup_name("show_map_vma");
+    build_map_info_addr = (void *)kallsyms_lookup_name("build_map_info");
 
     logkd("+Test-Log+ mtask_pid_nr_ns:%llx\n",mtask_pid_nr_ns);
     logkd("+Test-Log+ uprobe_register:%llx\n",uprobe_register);
@@ -221,11 +246,12 @@ static long kernel_trace_init(const char *args, const char *event, void *__user
     logkd("+Test-Log+ trace_printk:%llx\n",trace_printk);
 
     logkd("+Test-Log+ show_map_vma_addr:%llx\n",show_map_vma_addr);
+    logkd("+Test-Log+ build_map_info_addr:%llx\n",build_map_info_addr);
 
     if(!(mtask_pid_nr_ns && uprobe_register && uprobe_unregister
     && kern_path && igrab && path_put && rcu_read_unlock
     && rb_erase && rb_insert_color && rb_first && trace_printk
-    && show_map_vma_addr)){
+    && show_map_vma_addr && build_map_info_addr)){
         logke("+Test-Log+ can not find some fun addr\n");
         return -1;
     }
@@ -244,6 +270,11 @@ static long kernel_trace_init(const char *args, const char *event, void *__user
         return -1;
     }
 
+     err = hook_wrap2(build_map_info_addr,NULL,after_build_map_info,0);
+    if(err){
+        logke("+Test-Log+ hook build_map_info error\n");
+        return -1;
+    }
 
     logkd("+Test-Log+ success init\n");
     return 0;
@@ -260,9 +291,10 @@ static long kernel_trace_exit(void *__user reserved)
 {
     inline_unhook_syscall(__NR_mincore, before_mincore, 0);
     unhook(show_map_vma_addr);
+    unhook(build_map_info_addr);
     rcu_read_unlock();//解锁，不然内核会崩
     for (int i = 0; i < hook_num; ++i) {
-        uprobe_unregister(inode,fun_offsets[i],&trace_uc);
+        uprobe_unregister(inode,fun_offsets[i]+addr_fixer,&trace_uc);
     }
     logkd("+Test-Log+ success clear all uprobes\n");
     destroy_entire_tree(&fun_info_tree);

kernel_trace.h

@@ -81,4 +81,10 @@ struct vm_area_struct {
     unsigned long vm_end;
 };
 
+struct map_info {
+    struct map_info *next;
+    struct mm_struct *mm;
+    unsigned long vaddr;
+};
+
 struct pid_namespace;

user/uprobe_trace_user.h

@@ -37,13 +37,6 @@ int set_fun_info(unsigned long fun_offset,char *fun_name){
     return ret;
 }
 
-//set_fun_info函数设置成功但失效的情况下再用这个函数
-//，最好在一个程序内不要与set_fun_info函数同时使用
-int set_fun_info2(unsigned long fun_offset,char *fun_name){
-    int ret = syscall(__NR_mincore,fun_offset-0x1000,TRACE_FLAG+SET_FUN_INFO,fun_name);
-    return ret;
-}
-
 int clear_all_uprobes(){
     int ret = syscall(__NR_mincore,0,TRACE_FLAG+CLEAR_UPROBE,"");
     return ret;